From 944cae7db3535e69c066ca7d13ae45dc9be7a231 Mon Sep 17 00:00:00 2001
From: auricom <27022259+auricom@users.noreply.github.com>
Date: Thu, 21 Aug 2025 02:13:15 +0200
Subject: [PATCH] feat: opnsense-dns
---
 .../cloudflare-dns/app/helmrelease.yaml | 5 +-
 .../apps/network/cloudflare-dns/ks.yaml | 8 --
 kubernetes/apps/network/kustomization.yaml | 1 +
 .../opnsense-dns/app/externalsecret.yaml | 20 +++++
 .../network/opnsense-dns/app/helmrelease.yaml | 88 +++++++++++++++++++
 .../opnsense-dns/app/kustomization.yaml | 7 ++
 kubernetes/apps/network/opnsense-dns/ks.yaml | 24 +++++
 7 files changed, 144 insertions(+), 9 deletions(-)
 create mode 100644 kubernetes/apps/network/opnsense-dns/app/externalsecret.yaml
 create mode 100644 kubernetes/apps/network/opnsense-dns/app/helmrelease.yaml
 create mode 100644 kubernetes/apps/network/opnsense-dns/app/kustomization.yaml
 create mode 100644 kubernetes/apps/network/opnsense-dns/ks.yaml
diff --git a/kubernetes/apps/network/cloudflare-dns/app/helmrelease.yaml b/kubernetes/apps/network/cloudflare-dns/app/helmrelease.yaml
index 9f005dd89..ba3a8543d 100644
--- a/kubernetes/apps/network/cloudflare-dns/app/helmrelease.yaml
+++ b/kubernetes/apps/network/cloudflare-dns/app/helmrelease.yaml
@@ -25,15 +25,18 @@ spec:
 name: cloudflare-dns install: remediation: - retries: -1 + retries: 3 upgrade: cleanupOnFail: true remediation: + strategy: rollback retries: 3 values: fullnameOverride: *app provider: name: cloudflare + deploymentAnnotations: + reloader.stakater.com/auto: "true" env: - name: &name CF_API_TOKEN valueFrom:
diff --git a/kubernetes/apps/network/cloudflare-dns/ks.yaml b/kubernetes/apps/network/cloudflare-dns/ks.yaml
index b2502384a..11a4e2ae9 100644
--- a/kubernetes/apps/network/cloudflare-dns/ks.yaml
+++ b/kubernetes/apps/network/cloudflare-dns/ks.yaml
@@ -12,14 +12,6 @@ spec:
 dependsOn: - name: external-secrets-stores namespace: external-secrets - healthChecks: - - apiVersion: helm.toolkit.fluxcd.io/v2 - kind: HelmRelease - name: *app - namespace: *namespace - - apiVersion: apiextensions.k8s.io/v1 - kind: CustomResourceDefinition - name: dnsendpoints.externaldns.k8s.io interval: 1h path: ./kubernetes/apps/network/cloudflare-dns/app prune: true
diff --git a/kubernetes/apps/network/kustomization.yaml b/kubernetes/apps/network/kustomization.yaml
index 373857e76..b087340e8 100644
--- a/kubernetes/apps/network/kustomization.yaml
+++ b/kubernetes/apps/network/kustomization.yaml
@@ -11,3 +11,4 @@ resources:
 - ./envoy-gateway/ks.yaml
 - ./gateway-api-crds/ks.yaml
 - ./k8s-gateway/ks.yaml
+ - ./opnsense-dns/ks.yaml
diff --git a/kubernetes/apps/network/opnsense-dns/app/externalsecret.yaml b/kubernetes/apps/network/opnsense-dns/app/externalsecret.yaml
new file mode 100644
index 000000000..12d5e21bf
--- /dev/null
+++ b/kubernetes/apps/network/opnsense-dns/app/externalsecret.yaml
@@ -0,0 +1,20 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: opnsense-dns
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: opnsense-dns-secret
+ template:
+ data:
+ OPNSENSE_API_KEY: "{{ .EXTERNAL_DNS_OPNSENSE_API_KEY }}"
+ OPNSENSE_API_SECRET: "{{ .EXTERNAL_DNS_OPNSENSE_API_SECRET }}"
+ OPNSENSE_HOST: "{{ .OPNSENSE_HOST }}"
+ dataFrom:
+ - extract:
+ key: opnsense
diff --git a/kubernetes/apps/network/opnsense-dns/app/helmrelease.yaml b/kubernetes/apps/network/opnsense-dns/app/helmrelease.yaml
new file mode 100644
index 000000000..ff0430318
--- /dev/null
+++ b/kubernetes/apps/network/opnsense-dns/app/helmrelease.yaml
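Review bot: The template in the externalsecret.yaml hunk expects three specific fields (`EXTERNAL_DNS_OPNSENSE_API_KEY`, `EXTERNAL_DNS_OPNSENSE_API_SECRET`, `OPNSENSE_HOST`) on the 1Password item `opnsense`, but nothing in the file records that contract; a comment above `template:` such as `# expects fields EXTERNAL_DNS_OPNSENSE_API_KEY, EXTERNAL_DNS_OPNSENSE_API_SECRET and OPNSENSE_HOST on the 1Password item "opnsense"` would save the next maintainer a trip to the vault. It is also worth confirming what happens when one of those fields is absent from the item, whether the reconcile fails or an empty value is rendered into `opnsense-dns-secret`, so the webhook cannot come up with an empty credential. The `EXTERNAL_DNS_` prefix suggests this API key pair is dedicated to external-dns; keeping it bound to an OPNsense user that holds only the privileges the webhook needs limits what a leaked cluster Secret can do.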
@@ -0,0 +1,88 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+ name: opnsense-dns
+spec:
+ interval: 5m
+ layerSelector:
+ mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
+ operation: copy
+ ref:
+ tag: 1.18.0
+ url: oci://ghcr.io/home-operations/charts-mirror/external-dns
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: &app opnsense-dns
+spec:
+ interval: 1h
+ chartRef:
+ kind: OCIRepository
+ name: opnsense-dns
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ fullnameOverride: *app
+ logLevel: debug
+ deploymentAnnotations:
+ reloader.stakater.com/auto: "true"
+ provider:
+ name: webhook
+ webhook:
+ image:
+ repository: ghcr.io/crutonjohn/external-dns-opnsense-webhook
+ tag: v0.1.0@sha256:72d4f5c79e515b8a70bb2e48f6472c746671a3ae3d8ad224aa686dd7192e1609
+ env:
+ - name: LOG_LEVEL
+ value: debug
+ - name: OPNSENSE_API_KEY
+ valueFrom:
+ secretKeyRef:
+ name: &secret opnsense-dns-secret
+ key: OPNSENSE_API_KEY
+ - name: OPNSENSE_API_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: *secret
+ key: OPNSENSE_API_SECRET
+ - name: OPNSENSE_HOST
+ valueFrom:
+ secretKeyRef:
+ name: *secret
+ key: OPNSENSE_HOST
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ initialDelaySeconds: 10
+ timeoutSeconds: 5
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8080
+ initialDelaySeconds: 10
+ timeoutSeconds: 5
+ resources:
+ requests:
+ memory: 20Mi
+ cpu: 10m
+ limits:
+ memory: 100Mi
+ policy: upsert-only
+ registry: noop
+ sources: ["gateway-httproute", "service"]
+ domainFilters: ["${SECRET_EXTERNAL_DOMAIN}"]
+ serviceMonitor:
+ enabled: true
+ podAnnotations:
+ secret.reloader.stakater.com/reload: *secret
diff --git a/kubernetes/apps/network/opnsense-dns/app/kustomization.yaml b/kubernetes/apps/network/opnsense-dns/app/kustomization.yaml
new file mode 100644
index 000000000..d6adbe135
--- /dev/null
+++ b/kubernetes/apps/network/opnsense-dns/app/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./externalsecret.yaml
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/network/opnsense-dns/ks.yaml b/kubernetes/apps/network/opnsense-dns/ks.yaml
new file mode 100644
index 000000000..56ff6f2e2
--- /dev/null
+++ b/kubernetes/apps/network/opnsense-dns/ks.yaml
@@ -0,0 +1,24 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app opnsense-dns
+ namespace: &namespace network
+spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: external-secrets-stores
+ namespace: external-secrets
+ interval: 1h
+ path: ./kubernetes/apps/network/opnsense-dns/app
+ prune: true
+ retryInterval: 2m
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+ targetNamespace: *namespace
+ timeout: 5m
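Review bot: The `policy: upsert-only` / `registry: noop` pair near the end of the helmrelease.yaml values deserves a comment, because the two settings depend on each other: with the noop registry external-dns has no way to mark which records it owns, so upsert-only is what keeps it from removing OPNsense records it did not create, at the price that records for deleted HTTPRoutes or Services are never cleaned up and must be removed by hand. Suggested comment above `policy: upsert-only`: `# noop registry cannot record ownership; upsert-only stops external-dns from deleting records it did not create (stale records need manual cleanup)`. Separately, both `logLevel: debug` on the chart and `LOG_LEVEL: debug` on the webhook read like bring-up settings; at that level the controller and webhook presumably log every record and API exchange, so dropping to `info` once the integration is stable keeps the logs smaller and less revealing. Nothing in these values says whether the webhook verifies the OPNsense API's TLS certificate; since the key and secret travel over that connection it is worth confirming the image's default is to verify.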
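Review bot: In the ks.yaml hunk, `dependsOn` waits only on `external-secrets-stores`, but the HelmRelease this Kustomization deploys configures external-dns with the `gateway-httproute` source, which needs the Gateway API CRDs present before the controller can start watching HTTPRoutes; on a fresh cluster this Kustomization can be applied before `./gateway-api-crds/ks.yaml` (listed in the same network kustomization) has reconciled. Add a second entry, `- name: gateway-api-crds` / `namespace: network`, assuming that is the name and namespace the Flux Kustomization in ./gateway-api-crds/ks.yaml uses, which is not visible here. The same consideration applies to the `service` source only insofar as core resources are always available, so no extra dependency is needed for it.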